Wireshark-dev: Re: [Wireshark-dev] About the netmask (Was:Wireshark-commits: [Wireshark-commits
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 6 Jul 2010 23:52:38 -0700
On Jul 6, 2010, at 10:39 PM, Jaap Keuter wrote:

> When working on this parameter I was wondering what was happening here.

What's happening here is that the libpcap filter language (and mechanism) was designed in an era when networking was simpler. :-)  No multiple addresses per interface (which can cause the same problem), no VLANs, etc.

> What if I have an interface with:
> 1. untagged 192.168.16.0/24
> 2. tagged 10.0.0.0/28
> and have a filter 'ip broadcast or vlan and ip broadcast'.

On most OSes, there will be separate interfaces for the raw network and the VLAN, and, if you capture on the raw network, the only address+netmask will be 192.168.16.0/24, so it'll match only on the first.  (Fixing that would require, among other things, that, on at least some platforms, libpcap find the corresponding VLAN interfaces so it can find their netmasks.)

> Or even worse, what if I have an interface with:
> 1. tagged 192.168.16.0/24
> 2. tagged 10.0.0.0/28
> and have a filter 'vlan and ip broadcast'.

See previous comment.

> PS: Holland, Holland!!! ;)

Yeah, yeah, yeah.  We just needed more toxoplasmosis:

	http://www.slate.com/id/2259350/pagenum/all/

(U.S. 12%, Ghana 92%).
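The limitation discussed above, as an added example that is not part of the original message and not libpcap's own code: a small C model of the host-bits test that `ip broadcast` applies using the single netmask the filter is compiled with, run against the two subnets from the question. The helper names (`ip4`, `prefix_mask`, `ip_broadcast_match`) and the sample destination addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Build a host-order IPv4 address from its four octets. */
static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* Netmask for a prefix length (0..32), host order. */
static uint32_t prefix_mask(unsigned len)
{
    return len == 0 ? 0 : 0xFFFFFFFFu << (32 - len);
}

/*
 * Model of the "ip broadcast" test: only the one netmask given at
 * compile time is used, and only the host bits of the destination
 * address are inspected (all zeros or all ones).
 */
static int ip_broadcast_match(uint32_t dst, uint32_t netmask)
{
    uint32_t hostmask = ~netmask;
    uint32_t hostbits = dst & hostmask;
    return hostbits == 0 || hostbits == hostmask;
}

int main(void)
{
    uint32_t raw_mask  = prefix_mask(24);  /* untagged 192.168.16.0/24 */
    uint32_t vlan_mask = prefix_mask(28);  /* tagged 10.0.0.0/28 */

    /* Capturing on the raw interface: the filter only knows the /24 mask. */
    printf("192.168.16.255 with /24: %d\n",
           ip_broadcast_match(ip4(192, 168, 16, 255), raw_mask));  /* 1 */
    /* Broadcast of the tagged /28 is missed under the /24 mask. */
    printf("10.0.0.15      with /24: %d\n",
           ip_broadcast_match(ip4(10, 0, 0, 15), raw_mask));       /* 0 */
    /* With the /28 mask it matches ... */
    printf("10.0.0.15      with /28: %d\n",
           ip_broadcast_match(ip4(10, 0, 0, 15), vlan_mask));      /* 1 */
    /* ... but so does an ordinary host on the /24 (false positive). */
    printf("192.168.16.15  with /28: %d\n",
           ip_broadcast_match(ip4(192, 168, 16, 15), vlan_mask));  /* 1 */
    return 0;
}
```

Whichever single netmask is supplied, one of the two subnets is classified wrongly, which is why matching both would need the per-VLAN netmasks mentioned above.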